Researchers have discovered a new, sophisticated spyware app for Android disguised as a software update.
According to Zimperium zLabs, the malware disguises itself as a system update to silently spy on user and phone data. It should be noted, however, that the app the team discovered was found on a third-party repository, and not on the official Google Play Store.
Once installed, the victim’s device is registered with a Firebase Command and Control (C2) server used to issue commands, while a separate, dedicated C2 is used to manage data theft.
Data theft is triggered as soon as one of several conditions is met, such as adding a new mobile phone contact, installing a new app, or receiving an SMS message.
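As a defender-side illustration of the trigger behaviour described above, the following added example (not code from the original article or from Zimperium) flags an app whose uploads repeatedly follow exactly those trigger events. The event names, the 30-second window, the alert threshold and the sample timeline are all constructed for the example.

```python
"""Behavioural heuristic, constructed for illustration: flag a package whose
network uploads repeatedly follow the trigger events the report describes
(new contact, new app install, incoming SMS)."""
from collections import defaultdict
from dataclasses import dataclass

TRIGGER_EVENTS = {"CONTACT_ADDED", "APP_INSTALLED", "SMS_RECEIVED"}
WINDOW_SECONDS = 30   # assumed: an upload within 30 s of a trigger counts as correlated
MIN_CORRELATED = 3    # assumed: alert after three correlated uploads


@dataclass
class Event:
    ts: int          # seconds since boot (constructed telemetry clock)
    kind: str        # a trigger kind from TRIGGER_EVENTS, or "UPLOAD"
    app: str = ""    # package name, set on UPLOAD events only


def correlated_uploads(events):
    """Map package -> [(trigger_kind, upload_ts)] for uploads that happen
    within WINDOW_SECONDS after a trigger event."""
    hits = defaultdict(list)
    recent = []  # trigger events still inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in TRIGGER_EVENTS:
            recent.append(ev)
            continue
        if ev.kind != "UPLOAD":
            continue
        recent = [t for t in recent if ev.ts - t.ts <= WINDOW_SECONDS]
        if recent:
            hits[ev.app].append((recent[-1].kind, ev.ts))
    return hits


def suspicious_apps(events):
    """Packages with at least MIN_CORRELATED trigger-following uploads that
    span at least two different trigger types (one benign coincidence is not enough)."""
    flagged = []
    for app, hits in correlated_uploads(events).items():
        if len(hits) >= MIN_CORRELATED and len({k for k, _ in hits}) >= 2:
            flagged.append(app)
    return sorted(flagged)


# Constructed sample timeline, not real telemetry.
SAMPLE = [
    Event(100, "SMS_RECEIVED"),
    Event(112, "UPLOAD", "com.example.sysupdate"),   # follows SMS
    Event(115, "UPLOAD", "com.example.mail"),        # mail client syncing, coincidental
    Event(400, "CONTACT_ADDED"),
    Event(405, "UPLOAD", "com.example.sysupdate"),   # follows new contact
    Event(900, "APP_INSTALLED"),
    Event(920, "UPLOAD", "com.example.sysupdate"),   # follows app install
    Event(2000, "UPLOAD", "com.example.mail"),       # no trigger nearby
]
```

Running `suspicious_apps(SAMPLE)` flags only the constructed `com.example.sysupdate` package; the mail client's single coincidental upload stays below the threshold.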
The malware is a remote access Trojan (RAT) that can steal GPS data, SMS messages, contact lists and call logs, collect photos and videos, secretly record audio through the microphone, hijack the device's camera to take pictures, review browser bookmarks and history, intercept phone calls, and steal operational information about the phone, including storage statistics and lists of installed applications.
Instant messaging content is also at risk, because the malware abuses accessibility services to read these applications, including WhatsApp.
On an infected device, the malware can also obtain database records. The app can also search specifically for file types such as .pdf, .doc, .docx, .xls and .xlsx.
The malware will also try to steal files from external storage. However, since some content, such as videos, may be too large to exfiltrate without affecting the connection, only the thumbnails are stolen.
The researchers pointed out that “when the victim uses Wi-Fi, all the stolen data from all folders is sent to C2, while when the victim uses a mobile data connection, only a specific set of data is sent to C2.”
Limiting what is sent over a mobile data connection is one way to avoid making users suspect that their devices are compromised. Also, once the information is packaged and sent to the C2, the archive files are deleted in an attempt to go undetected.
To ensure only relevant and up-to-date data is obtained, the malware's creators have imposed time limits on content: for example, the most recent GPS logs are exfiltrated only if they are less than five minutes old. For photos, the limit is set to 40 minutes.
Zimperium describes the malware as part of a “complex spyware campaign with complex capabilities”.
Earlier this month, Google pulled a number of Android apps from the Play Store that contained a dropper for banking trojans. Utility apps, including a VPN service, a recorder, and a barcode scanner, were used to install mRAT and AlienBot.